external links

Encrypt files with a passphrase

    gpg --symmetric filename.bin
creates file filename.bin.gpg encrypted with a passphrase that you have to give as input.
    gpg --decrypt -o filename.bin filename.bin.gpg
Decrypt the file and writes the data to the file given by option -o instead of writing to the standard output device.

signatures for emails or files

 gpg --sign --armor plaintext.txt
 gpg --verify plaintext.txt.asc
 gpg --decrypt plaintext.txt.asc > plaintext.txt
The original file does not need to be present where the verification takes place. It will be genereated through the signature.
 gpg --clearsign plaintext.txt
 gpg --verify plaintext.txt.asc
here the original message will be placed together with the signature. The message text stays plain!
 gpg --detach-sign filename
 gpg --verify filename.gpg filename
You have to have the file there where you want to verify the signature.

security with every mail client you want

If you want to send secret emails but your favourite client does not use any cryptology there is nevertheless a solution. You only need GnuGPG installed. After generating a key for your encryption/decryption.

 gpg --encryption --armor --recipient bob << EOM
 >this is secret

The ascii characters that will be printed out you can easily insert per mark&paste into your edit/compose window of your mail client. Afterwards send this to bob. He has to decrypt with

 gpg --decrypt << EOM

and paste also per mark&paste the ascii part of the email here into the shell and see what is supposed only for his eyes.

short reference

 gpg --gen-key
generates a key for you or some guy. let's call him Bob. So we use bob as "real name".
 gpg --export --armor bob > bob.asc
exports the public key. For exporting the private key use --export-secret-key
 scp bob.asc webserver:

Now Bob's public key is on the webserver. Alice has to import it to write a encrypted message to Bob.

 wget http://webserver/bob.asc 


 scp webserver:bob.asc .
 gpg --import bob.asc
 gpg --encypt --armor --recipients bob file_with_sec.txt
creates file_with_sec.txt.asc. This file can be send by mail or something else. Here we take ssh.
 scp file_with_sec.txt.asc bobs_computer:

After this Bob decrypts file_with_sec.txt.asc with

 gpg --decrypt file_with_sec.txt.asc
Then you have to give the secret passphrase that you entered while key generation process.

The passphrase protects the private key from accessing except you.

sign a file

 gpg --sign filename
 gpg --verify filename.gpg
 gpg --encrypt --sign -r bob secrettextfile.doc
add --armor if you want to send it via email to create ascii instead of binary data.

use --clearsign if you want the data in readable form:

 gpg --clearsign cleartext.txt

 gpg --detach-sign filename
creates a binary signature with extension .gpg

To verify against the original file:

 gpg --detach-sign cleartext.txt
 gpg --verify cleartext.txt.asc cleartext.txt

 gpg --encrypt --sign -r bob rechnung.sxc
If decrypted the plaintext will also be printed.

things to know

 gpg --gen-key
creates a new key pair

Afterwards think about securing the directory where the key are stored with

 chmod 700 .gnupg -R

With "shred" you can overwrite a file to hide its contents. To export the key to an external media after creating them on the hard disk use

 shred *ring.gpg 

in .gnupg directory.

contains private keys.
contains all public keys. Also the keys from other persons.
 gpg --list-keys
shows all public keys.

gpg --gen-revoke <keyid>

revokes a key which was being created.

gpg --edit-key <keyid> or <userid>

  1. quit
  2. save
  3. help
  4. fpr
  5. list
  6. uid
  7. key
  8. check
  9. sign
  10. lsign
  11. nrsign
  12. nrlsign
  13. adduid
  14. addphoto
  15. deluid
  16. addkey
  17. delkey
  18. addrevoker
  19. delsig
  20. expire
  21. primary
  22. toggle
  23. pref
  24. showpref
  25. setpref
  26. updpref
  27. passwd
  28. trust
  29. revsig
  30. revuid
  31. revkey
  32. disable
  33. enable
  34. showphoto

export a public key

 gpg --export --armor alice > alice.asc
exports as ascii text. Without parameter --armor the outcome will be a binary file.
 gpg --keyserver keyserver --send-key keyid
exports to keyserver

import public key

 gpg --import bob.ascii
imports public key from bob as ascii text.
 gpg --rec-key ABDD123
receives key with this id.

To verify the received key you can ask Bob for a fingerprint and compare it with the outcome of:

 gpg --fingerprint bob

To set the status of the key to "trust" do the following:

 gpg --edit-key bob
 Your decision? 4

The level of trust can be

gpg --search-keys Pattern Patternoix gpg --list-sigs bob